According to one traditional technique, security software companies may estimate that files are safe when the files are associated with valid program characteristics. Security vendors may include this technique in protocols or heuristics for detecting malware. Because safe files are frequently associated with valid program characteristics, this approach allows security vendors to efficiently determine that the files are safe. The approach also allows the security vendors to exclude the safe files from investigation beyond a cursory analysis for valid program characteristics.
Unfortunately, programmers with malevolent motives may associate malicious files with valid program characteristics to avoid detection by security vendors. As a result, these malicious files may increasingly evade detection. Accordingly, the instant disclosure identifies a need for improved methods for detecting malicious files that are disguising themselves as safe.